On Privacy Risks of Public WiFi Captive Portals

Suzan Ali, Tousif Osman, Mohammad Mannan, and Amr Youssef

Concordia University, , Canada {a suzan,t osma,mmannan,youssef}@ciise.concordia.ca

Abstract. Open access WiFi hotspots are widely deployed in many public places, including restaurants, parks, coffee shops, shopping malls, trains, airports, hotels, and libraries. While these hotspots provide an attractive option to stay connected, they may also track user activities and share user/device information with third-parties, through the use of trackers in their captive portal and landing websites. In this paper, we present a comprehensive privacy analysis of 67 unique public WiFi hotspots located in Montreal, Canada, and shed some light on the web tracking and data collection behaviors of these hotspots. Our study re- veals the collection of a significant amount of privacy-sensitive personal data through the use of social login (e.g., Facebook and Google) and registration forms, and many instances of tracking activities, sometimes even before the user accepts the hotspot’s privacy and terms of service policies. Most hotspots use persistent third-party tracking cookies within their captive portal site; these cookies can be used to follow the user’s browsing behavior long after the user leaves the hotspots, e.g., up to 20 years. Additionally, several hotspots explicitly share (sometimes via HTTP) the collected personal and unique device information with many third-party tracking domains.

1 Introduction

Public WiFi hotspots are growing in popularity across the globe. Most users frequently connect to hotspots due to their free-of-cost service, (as opposed to mobile data connections) and ubiquity. According to a Symantec study [41] conducted among 15,532 users across 15 global markets, 46% of participants do not wait more than a few minutes before connecting to a WiFi network

arXiv:1907.02142v1 [cs.CR] 3 Jul 2019 after arriving at an airport, restaurant, shopping mall, hotel or similar locations. Furthermore, 60% of the participants are unaware of any risks associated with using an untrusted network, and feel their personal information is safe. A hotspot may have a captive portal, which is usually used to communicate the hotspot’s privacy and terms-of-service (TOS) policies, and collect personal identification information such as name and email for future communications, and authentication if needed (e.g., by asking the user to login to their social media sites). Upon acceptance of the hotspot’s policy, the user is connected to the internet and her web browser is often automatically directed to load a landing page (usually the service provider’s webpage). 2 S. Ali et al.

Several past studies (e.g., [7,40]) focus on privacy leakage from browsing the internet or using mobile apps in an open hotspot, due to the lack of encryption, e.g., no WPA/WPA2 support at the hotspot, and the use of HTTP, as opposed to HTTPS for connections between the user device and the web service. However, in recent years, HTTPS adoption across web servers has increased dramatically, mitigating privacy exposure through plain network traffic. For example, accord- ing to the Google Transparency Report [17], as of Apr. 6, 2019, 82% of web pages are served via HTTPS for Chrome users on Windows. On the other hand, in the recent years, there have also been several comprehensive studies on web tracking on regular web services and mobile apps with an emphasis on most popular domains/services (see e.g., [14,4,3]). In contrast to past hotspot and web privacy measurement studies, we ana- lyze tracking behaviors and privacy leakage in WiFi captive portals and landing pages. We design a data collection framework (CPInspector) for both Win- dows and Android, and capture raw traffic traces from several public hotspots (in Montreal, Canada) that require users to go through a captive portal before allowing internet access. Challenges here include: manual collection of captive portal data by physically visiting each hotspot; making our test environment separate from the regular user environment so that we do not affect the user’s browsing profiles; ensuring that our tests remain unaffected by the user’s past browsing behaviors (e.g., saved tracking cookies); and creating and monitoring several test accounts in popular social media or email services as some hotspots mandate such authentication. CPInspector does not include any real user infor- mation in the collected dataset, or leak such information to the hotspots (e.g., by using fake MAC addresses). From each hotspot, we collect traffic using both Chrome and Firefox on Windows. In addition to the default browsing mode, we also use private brows- ing, and deploy two ad-blockers to check if such privacy-friendly environments help against captive portal trackers—leading to a total of eight datasets for each hotspot. We also use social logins (Facebook, LinkedIn, Google, Instagram, Twitter) if required by the captive portal, or provided as an option; we again use both browsers for social login tests (two to six additional datasets as we have observed at most three social login options per hotspot). Some hotspots also require the user to complete a registration form that collects the user’s PII—in such cases, we collect two more datasets (from both browsers). Finally, some hotspots collect additional personal information as part of an optional survey. When reporting statistics on tracking domains and cookies, we accumulate the distinct trackers as observed in all the datasets collected for a given hotspot. On Android, we collect traffic only from the custom captive portal app (as opposed to Chrome/Firefox on Windows) as the cookie store of this app is separate from browsers. Consequently, tracking cookies from the Android captive portal app cannot be used by websites loaded in a browser. Recent Android OSes also use dynamic MAC addresses, limiting MAC address based tracking. However, we found that cookies in the captive portal app may remain valid for up to 20 years, allowing effective tracking by hotspot providers. On Privacy Risks of Public WiFi Captive Portals 3

We also design our framework to detect ad/content injection by hotspots; however, we observed no content modification attempts by the hotspots. Fur- thermore, we manually evaluate various privacy aspects of some hotspots, as documented in their privacy/terms-of-service policies, and then compare the stated policies against what happens in practice. Note: by default all our statis- tics refer to the measurements on Windows; we explicitly mention when results are for Android (mostly in Sec.5). Contributions and summary of findings. 1. We collected a total of 679 datasets from the captive portal and landing page of 80 hotspot locations between Sept. 2018 to Apr. 2019. 103 datasets were discarded due to some errors (e.g., network failure). We analyzed over 18.5GB of collected traffic for privacy exposure and tracking, and report the results from 67 unique hotspots (576 datasets), making this the largest such study to characterize hotspots in terms of their privacy risks. 2. Our hotspots include cafes and restaurants, shopping malls, retail businesses, banks, and transportation companies (bus, train and airport), some of which are local to Montreal, but many are national and international brands. 40 hotspots (59.7%) use third-party captive portals that appear to have many other business customers across Canada and elsewhere. Thus our results might be applicable to a larger geographical scope. 3. 27 hotspots (40.3%) use social login or a registration page to collect personal information (19 hotspots make this process mandatory for internet access). Social login providers may share several privacy-sensitive PII items—e.g., we found that LinkedIn shares the user’s full name, email address, profile picture, full employment history, and the current location. 4. Except three, all hotspots employ varying levels of user tracking technologies on their captive portals and landing pages. On average, we found 7.4 third- party tracking domains per captive portal (max: 34 domains). 40 hotspots (59.7%) create persistent third-party tracking HTTP cookies (validity up to 20 years); 4.2 cookies on average on each captive portal (max: 34 cook- ies). Surprisingly, 26 hotspots (38.8%) create persistent cookies even before getting user consent on their privacy/TOS document. 5. Several hotspots explicitly share (sometimes even without HTTPS) personal and unique device information with many third-party domains. 40 hotspots (59.7%) expose the user’s device MAC address; five hotspots leak PII via HTTP, including the user’s full name, email address, phone number, address, postal code, date of birth, and age (despite some of them claiming to use TLS for communicating such information). Two hotspots appear to perform cross-device tracking via Adobe Marketing Cloud Co-op [2]. 6. Two hotspots (3.0%) state in their privacy policies that they explicitly link the user’s MAC address to the collected PII, allowing long-term user track- ing, especially for desktop OSes with fixed MAC. 7. From our Android experiments, we reveal that 9 out of 22 hotspots can ef- fectively track Android devices even though Android uses a separate captive portal app and randomizes MAC address as visible to the hotspot. 4 S. Ali et al.

2 Background and Related Work

In this section, we first provide an overview of public hotspots, and then briefly review related previous studies on hotspots, web tracking, and ad injection. Hotspot access is usually deployed in three forms: captive portal, direct/open- access (no captive portals), or password-protected networks. In captive portal networks, users first go through a captive portal session before getting inter- net access. The captive portal web-page usually displays the privacy policy and/or the terms-of-service (TOS) document, along with some advertisements, and sometimes an option to select their preferred language (for viewing the portal content), and a social login or registration form. After accepting the policy/TOS documents, the user’s browser is often directed to a landing page, as chosen by the hotspot owner. The captive portal is used to make sure that guests are aware of the hotspot privacy policy, collect personal identification information such as name and email for future communications, and authenticate guests if needed. Several prior studies have demonstrated the possibility of eavesdropping WiFi traffic to identify personal sensitive information in public hotspots. For exam- ple, Cheng et al. [7] collected WiFi traffic from 20 airports in four countries, and found that two thirds of the travelers leak private information while using airport hotspots for web browsing and smartphone app usage. Sombatruang et al. [40] conducted a similar study in Japan by setting up 11 experimental open public WiFi networks. The 150 hour experiment confirmed the exposure of pri- vate information, including photos, email addresses, confidential documents, and users’ credentials—transmitted via HTTP. In contrast, we analyze web tracking and privacy leakage within WiFi captive portals and landing pages. Klasnja et al. [23] studied privacy and security awareness of WiFi users by monitoring web traffic of 11 users. The study shows the users’ limited understanding of risks associated with WiFi usage, and a false sense of safety. Web tracking, a widespread phenomenon on the internet, is used for varying purposes, including: targeted advertisements, identity checking, website analyt- ics, and personalization. Web tracking techniques can generally be categorized as stateful and stateless. Eckersley [11] showed that 83.6% of the Panopticlick website [34] visitors could be uniquely identified from a fingerprint composed of only 8 attributes. Laperdrix et al. [25] showed that AmIUnique.org can uniquely identify 89.4% of fingerprints composed of 17 attributes, including the HTML5 canvas element and the WebGL API. In a more recent large-scale study, G´omez- Boix et al. [16] collected over 2 million real-world device fingerprints (composed of 17 attributes) from a top French website; they found that only 33.6% device fingerprints are unique, raising questions on the effectiveness of fingerprinting in the wild. Note that developing advanced fingerprinting techniques to detect the so-called golden image (the same software and hardware as often deployed in large enterprises), is an active research area—see e.g., [24,38]. Several auto- mated frameworks have also been designed for large-scale measurement of web tracking in the wild; see e.g., FPDetective [1] and OpenWPM [14]. In this work, we measure tracking techniques in captive portals and landing pages, and use OpenWPM to verify the prevalence of the found trackers on popular websites. On Privacy Risks of Public WiFi Captive Portals 5

Previous work has also looked into ad injection in web content, see e.g., [37,43]. We use similar methods for detecting potential similar content injection in hotspots since such incidents have been reported in the past (e.g., [45,27,35]).

3 CPInspector on Windows: Design and Data Collection In this section, we describe CPInspector, the platform we develop for measuring captive portal web-tracking and privacy leakages; see Fig. 1 for the Windows variant. As Android uses a special app for captive portal, we modify CPInspector accordingly; see Sec. 5. The main components of CPInspector include: a browser automation frame- work, a data migration tool and an analysis module. Our browser automation platform, which is driven by Selenium [39], is used to visit the hotspot captive portal and perform a wide range of measurements. It collects web traffic, HTTP cookies, WebStorage content, fingerprints, browsing profiles, page source code, and screen shots of rendered pages (used to verify the data collection process). It also saves a copy of the privacy policy, if found. The datasets collected from our evaluated hotspots are parsed and committed to a central SQLite database. CPInspector works on Windows 7/8/10 with Firefox Quantum v60.1.0ESR and Google Chrome v69.0.3497.100 browsers. It is developed using Selenium, Wire- shark 2.6.2+, Node.js 8.1.1.4, WebExtensions, and Python 3.7+.

Browser mation Instrumentation Data Analysis

Private Data Leakage Ad Blockers Web Browsing Extensions

Web Tracking Selenium Wireshark DFPM

Central Output Privacy Policy DB Datasets

Fig. 1. CPInspector components

Capturing traffic. We use Wireshark [47] to capture all traffic between the instrumented browser and the hotspot access point. We filter out traffic gen- erated by normal activities such as anti-virus scanning and Windows updates. Moreover, since some captive portals adopt TLS for communication, we rely on the SSLKEYLOGFILE [20] to decrypt the TLS traffic; we then use Tshark [46] to extract and save the HTTP requests/responses to our database. Identifying third-parties. We identify third-party domains using the hotspot website’s owner. All evaluated hotspots have an official website except Hvmans Cafe, where all domains are classified as third-parties. We primarily use the 6 S. Ali et al.

Python WHOIS library [36] to find domain registration information. In cases where the domain information is protected by the WHOIS privacy policy, we visit the domain to detect any redirect to a parent site; we then lookup the parent site’s registration information. If this fails, we manually review the domain’s Organization in its TLS certificate, if available. Otherwise, we try to identify the domain owner based on its WHOIS registration email; e.g., addthis.com is owned by Oracle as apparent from its WHOIS email domain-contact_ww_ [email protected]. We also use Crunchbase [8] and Hoovers [21] to determine if the organizations are subsidiaries or acquisitions of larger companies; e.g., instagram.com is owned by Instagram, which in turn is owned by Facebook. Identifying third-party trackers. We use EasyList [10] with EasyPrivacy, and Fanboy’s List to identify known third-party trackers. EasyList identifies known advertising-related trackers, EasyPrivacy detects known non-advertising- related trackers, and Fanboy’s list classifies known social media content related trackers. These lists rely on blacklisted script names, URLs, or domains, which may fail to detect new trackers or variations of known trackers. For this reason, we classify third-party trackers as follows: (a) A known tracker is a third-party that has already been identified in the above blacklists. (b) A possible tracker is any third-party that can potentially track the user’s browsing activities but not included in a blacklist. We observed variations of well-known trackers such as Google Analytics, were missed by the blacklists (see Table 3 in the appendix). Email and social login accounts. We registered 27 accounts in total to be used in our experiments (if required by the captive portal), including: 4 Gmail, 1 Yahoo, 3 Microsoft, 8 Facebook, 4 Instagram, 6 LinkedIn, and 1 Twitter. Ad injection detection. Our framework also includes a module to detect mod- ifications to user traffic, e.g., for ad injections. We visit two decoy websites (i.e., honeysites in our control), via a home network and a public hotspot, and then compare the differences in the retrieved content (i.e., DOM trees [13]). The use of honeysites allows us to avoid any false positive issues due to the website’s dynamic content (e.g., news updates, dynamic ads). However, we also include a real website in our experiments (BBC.com). The first honysite is a static web page while the second is comprised of dynamic content that incorporates JavaScript el- ements, iframe tags, and four fake ads. The fake ads were created based on source code snippets from Google Adsense [18], Google TagManager [19], Taboola [42], and BuySellAds [6]. We host the honeysites through Amazon AWS and carefully mimic a realistic website. Data collection. We collected a total of 679 datasets from the captive portal and landing page of 80 hotspots (12 hotspots are measured at multiple physi- cal locations) between Sept. 2018 to Apr. 2019. We stopped collecting datasets from different locations of the same chain-business as the collected datasets were largely the same. We discarded 103 datasets due to some errors (e.g., network failures, incomplete data collection scenarios). We analyzed over 18.5GB of col- lected traffic for privacy exposure and tracking measurements, and report the results from 67 unique hotspots (576 datasets). We discuss the results in Sec. 4. On Privacy Risks of Public WiFi Captive Portals 7

For the ad injection experiments, we collected a total of 368 datasets from crawling the two honey websites and the BBC.com website at 98 hotspots; 11 hotspots are measured at multiple physical locations. We analyzed over 8.7GB of collected traffic for ad injection, and report the results from 87 unique hotspots (368 datasets). We did not observe any content modification attempts.

4 Analysis and Results for Windows

In this section, we present the results of our analysis on collected personal in- formation, privacy leaks, web trackers, HTTP cookies, fingerprinting, and the effectiveness of two anti-tracking extensions and private browsing mode.

4.1 Personal Information Collection, Sharing, and Leaking PII collection. Most hotspots (40; 59.7%) allow internet access without seek- ing any explicit personal data. The remaining 27 hotspots use social login (Face- book, LinkedIn, Google, Instagram), or a registration page to collect significant amount of personal information; 19 of these hotspots mandate social login or user registration. An optional survey is also used by one hotspot. See Table 1. The Hvmans Cafe hotspot reads the user’s profile information and media from Instagram; the profile may include: the user’s email address, mobile phone number, user ID, full name, gender, biography, website, and profile picture. Even after login via Instagram, the user must also complete a form to provide her first name, last name and email address. An option is also given to the user to choose a password for the hotspot. However, there is no login screen to use this password in future visits. Similarly, users must create an account at Michael Kors, where they can use the account email/password to login in future visits. In addition, Nespresso requires an activation code sent via SMS. Five hotspots support single sign-on via LinkedIn (, Mail Champlain, Centre Rockland, and Grevin Montreal). LinkedIn shares the user’s full name, email address, profile picture, LinkedIn headlines, current employment, and basic profile consisting of a large list of PII items, including full employment history, and the current location [28]. By analyzing the used email and social login accounts, we found no activi- ties related to the hotspots on social accounts while 5 hotspots used emails to send promotional messages (Dynamite, GAP, Garage, Telus, and Place Mon- treal Trust). Email is also used to activate WiFi access in YUL Airport, Telus, Hvmans Cafe, and Montreal Science Centre. Sharing with third-parties. Most hotspots share PII and browser/device in- formation with third-parties via the referrer header, the request-URL, HTTP cookie or WebStorage. We identified 40 hotspots (59.7%) that use third-party captive portals where they share PII, including 18 (26.9%) share email address; 15 (22.4%) share user’s full name; 12 (17.9%) share profile picture; 5 (7.5%) share birthday, current city, current employment and LinkedIn headline; see Table 1. We also found some hotspots’ captive portals leak device/browser information to third-parties, including 40(59.7%) leak MAC address and last visited site; 8 S. Ali et al.

Table 1. Personal information collected via social login, registration, or optional sur- veys. The “Powered By” column refers to third-parties that provide hotspot services (when used/identified). F refers to Facebook, L: LinkedIn, I: Instagram, G: Google, T: Twitter, R: registration form, and S: survey; *: personal information is mandatory to access the service.

Hotspot Powered By Name Email Gender Birthday Phone Number Current City Profile Picture Home Town Country Facebook Likes Facebook Friends LinkedIn Headline Current Employment Postal Code # of Children Basic Profile Instagram Media Tweets People You Follow Bombay Mahal Thali* Sy5 FR FR F F * Aislelabs FR FR FR F F F F F Fairview Pointe-Claire* Aislelabs FR FRT FR F F F F F T T Carrefour Angrignon Eye-In FGL FGL FGL L L L Centre Eaton Eye-In FFF Centre Rockland Eye-In FL FL FL L L L Desjardins 360* JoGoGo FFFFRFF Domino’s Pizza R Dynamite* R GAP R Garage* R Grevin Montreal Eye-In FL FL F FL L L S S L Harvey’s* Colony Networks F FR F Hvmans Cafe* Purple FR FR F F F F I I Mail Champlain Eye-In FL FL FL L L L Maison Simmon* R Michael Kors* Purple RRRRRR Montreal Science Centre* Telus R Moose BAWR* Sticky WiFi R Nautilus Plus* R Nespresso* Orange R RRR Roots* Yelp WiFi RR Telus* R Sushi STE-Catherine* MyWiFi R Vua Sandwiches* Coolblue FR FR R F YUL Airport* Datavalet FL FRL FL L L L

18 (26.9%) leak screen resolution; 26 (38.8%) leak user agent; 24 (35.8%) leak browser Information and language; and 15 (22.4%) leak plugins. Moreover, some hotspots leak the MAC address to multiple third-parties, e.g., Pizza Hut to 11 domains, and H&M Place Montreal Trust and Discount Car Rental to six third-parties each. Top organizations that receive the MAC addresses include: Network-auth.com from 21 hotspots, Alphabet 18, Openh264.org 12, Facebook 10, Datavalet 8, and Amazon 6. PII leaks via HTTP. We search for PII items of our used accounts in the collected HTTP Wireshark traffic, and record the leaked information, including the HTTP request URL, and source (captive portal vs. landing page). Three On Privacy Risks of Public WiFi Captive Portals 9 hotspots transmit the user’s full name via HTTP (Place Montreal Trust, Nau- tilus Plus and Roots). In Place Montreal Trust, the user’s full name is saved in a cookie (valid for five years), and each time the user connects to the captive por- tal, the cookie is automatically transmitted via HTTP. Moreover, three hotspots leak the user’s email address via HTTP (Dynamite, Roots, and Garage). In Nau- tilus Plus, a user must enter her membership number in the captive portal. For partially entered membership numbers, the captive portal verifies the identity by displaying personal information of five people in a scrambled way (first and last names, postal codes, ages, dates of birth, and phone numbers), over HTTP. The user then chooses the right combination corresponding to her personal in- formation. We also confirmed that some of this data belongs to real people by authenticating to this hotspot using ten randomly generated partial member- ship numbers. Then, we used the reverse lookup in canada411.ca to confirm the correlation between the returned phone numbers, names, and addresses.

4.2 Presence of Third-Party Tracking Domains and HTTP Cookies Tracking domains. We detect third-party tracking domains using: EasyList, EasyPrivacy, and Fanboy’s List. On average, each captive portal hosts 7.4 third- party tracking domains (max: 34 domains, including 10 known trackers); see Fig. 2. We noticed that the hotspots that use the same third-party captive portal still have a different number of third-parties. For example, for the Datavalet [9] hotspots (YUL Airport, McDonald’s, Starbucks, Via Rail Station, Tim Hortons, CIBC Bank, ), the number of third-parties are 22, 16, 10, 8, 5, 5, and 2 respectively. The hotspots (46; 68.7%) that redirect users to their cor- porate websites, host more known third-party tracking domains—on average, 30.6 domains per landing page; see Fig. 3. We also analyzed the organizations with the highest known-tracker representations. We group domains by the larger parent company that owns these domains. Alphabet, Facebook, and Datavalet are present on over 10% of the captive portals. Alphabet and Facebook are also present on over 50% of the landing pages. HTTP tracking cookies on captive portals. We found 40 (59.7%) hotspots create third-party cookies valid for various duration—e.g., over 5 years from 10 (14.9%) hotspots, six months to five years from 23 (34.3%) hotspots, and under six months from 38 (56.7%) hotspots; see Fig. 4. Via Rail Station, Fairview Pointe-Claire, Carrefour Laval, Roots, McDonald’s, Tim Hortons, and Harvey’s have a third-party cookie from network-auth.com, valid for 20 years. Moreover, YUL Airport, Via Rail Station, , McDonald’s, Starbucks, Tim Hortons, CIBC Bank have a common 1-year valid cookie from Datavalet, except for CIBC (17 days). This cookie uniquely identifies a device based on the MAC address (set to the same value unless the MAC address is spoofed). Some hotspots save the MAC address in HTTP cookies, including CHU Sainte-Justine, Moose BAWR, and Centre Rockland. We also analyze first-party cookies on captive portals; see Fig. 5. 22 (32.8%) hotspots create first-party cookies valid for various durations; 14 (20.9%) hotspots include cookies valid for periods ranging from six months to five years, and 17 10 S. Ali et al.

34 30 27 26 Known Tracker Possible Tracker 24 22

27 20 16 16 16 15 14 22 22 13 19 17 11 11 11 7 10 10 10 9 11 11 8 14 10 10 9 8 9 10 9 8 9 8 6 6 7 5 5 5 5

Unique # Third-Parties Unique 4 4 4 2 3 2 3 2 2 1 2 3 2

Fig. 2. Unique number of third-parties on captive portals (top 20). For example, Hvmans Cafe hosts a total of 34 tracking domains, including 7 known trackers. Note that for all reported tracking/domain statistics, we accumulate the distinct trackers as observed in all the datasets collected for a given hotspot. For list of evaluated hotspots see Table 5 in the appendix.

186 Known Tracker Possible Tracker

40

97 88 79 77 75 146 39 21 67 66 18 63 62 62 60 60 58 18 18 54 52 13 7 51 50 47 46 32 28 26 19 19 9 25 27 15 13 Unique#Third-Parties 67 22 16 58 61 59 57 54 55 36 41 41 43 36 37 34 35 33 27 25 30

Fig. 3. Unique number of third-parties on landing pages (top 20)

(25.4%) hotspots for less than 6 months. Place Montreal Trust saves the user’s full name in a first-party cookie valid for five years; this cookie is transmitted via HTTP. Finally, we analyzed hotspots that create persistent cookies before explicit consent from the user, we found 26 (38.8%) hotspots create cookies that are valid for periods varying from 30 minutes to a year, including Domino’s Pizza, Fido, GAP, H&M, McDonald’s, Roots, Starbucks, and Tim Hortons. HTTP tracking cookies on landing pages. We found 48 (71.6%) hotspots create third-party cookies valid for various durations—e.g., over 5 years from 4 (6.0%) hotspots, six months to five years from 47 (70.1%) hotspots, and under six months from 42 (62.7%) hotspots; see Fig. 9 in the appendix. Prominent exam- ples include the following. Fossil has a 25-year valid cookie from pbbl.com; CIBC Bank has two 5-year valid cookies from stackadapt.com, a known tracker. More- over, H&M, Starbucks, Laura, Fido, Gap Canada, Harvey’s, and Ikea have multi- On Privacy Risks of Public WiFi Captive Portals 11

34 2 Duration < 180 days Duration between 180 days and 5 years Duration > 5 years

20 20 19 19 18 2 16 16 8 6 15 6 1 14 6 13 6 4 4 11 9 4 9 9 9 3 8 Unique # Cookies Unique 1 1 6 6 12 12 13 12 2 4 2 5 5 11 10 11 10 4 1 1 9 8 3 6 6 6 2 2 2 3 4 5 1 3 3 3 2 2

Fig. 4. Number of third-party cookies on captive portals (top 20). Note that for all reported cookies/domain statistics, we accumulate the distinct cookies as observed in all the datasets collected for a given hotspot.

12 12 Duration < 180 days Duration between 180 days and 5 years Duration > 5 years

4 6

5 4 8 1 3 3 3 3 3 Unique # Cookies Unique 6 5 1 1 1 1 2 2 2 2 2 3 3 1 1 111111 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1

Fig. 5. Number of first-party cookies on captive portals (top 20) ple ten-year valid first-party cookies, but their names suggest a relationship with Optimizely [32]. Indeed, JavaScript from optimizely.com creates these cookies, although Optimizely states that they do not create third-party cookies [33].

We also analyzed the first-party cookies on landing pages; see Fig. 10 in the appendix. 41 (62.7%) hotspots create first-party cookies valid for various durations—e.g., over 5 years from 10 (14.9%) hotspots, six months to five years from 42 (62.7%) hotspots, and under six months from 41 (61.2%) hotspots. No- table examples: Fossil has a 99-year valid cookie, Fido has three cookies valid for 68–81 years, CHU Sainte-Justine has a 20-year valid cookie, CIBC Bank has a 19-year cookie, and Walmart has four cookies valid for 9–20 years. 12 S. Ali et al. 47

3 Navigator WebGL Screen

3 Canvas WebRTC Battery Status 6 32 1 28 AudioContext Worker 2 26 24 3 5 2 1 22 20 3 5 5 2 1 35 7 5 2 14

# Fingerprinting Fingerprinting APIs # 7 13 13 13 12 12 11 5 10 9 9 21 20 3 7 5 5 5 5 3 5 3 7 7 6 14 15 3 3 2 2 11 10 9 8 8 8 7 9 7 7 6 6 6 5 4

Fig. 6. Unique number of fingerprinting APIs on captive portals (top 20). Note that for all fingerprinting statistics, we accumulate the distinct APIs as observed in all the datasets collected for a given hotspot. 4.3 Device and Browser Fingerprinting

We analyzed fingerprinting attempts in captive portals and landing pages. We use Don’t FingerPrint Me (DFPM [22]) for detecting known fingerprinting tech- niques, including the screen object, navigator object, WebRTC, Font, WebGL, Canvas, AudioContext, and Battery Status [14,30,29,31]. We use attribute and API interchangeably, when referring to fingerprinting JavaScript APIs. Captive portal. 24 (35.8%) hotspots perform some form of fingerprinting. On average, each captive portal uses 5.9 attributes (max: 47 attributes, including 35 Navigator, 6 Screen, 3 Canvas, and 3 Battery Status); see Fig. 6. We also found 10 (14.9%) hotspots fingerprint user device/browser before explicit consent from the user, including GAP, McDonald’s, and Place Montreal Trust, using 6– 46 fingerprinting attributes. Our manual analysis of the GAP scripts reveals Font fingerprinting by checking the list of installed fonts using the side-channel inference technique described by Nikiforakis et al. [30]. Moreover, 46 (68.7%) captive portals fingerprint device MAC addresses. Landing pages. 51 (76.1%) hotspots perform fingerprinting on their landing pages. On average, each landing page fingerprints 19.4 attributes (max: 117 at- tributes, including 49 Navigator, 9 Screen, 2 Canvas, 3 WebRTC, 50 WebGL, 1 AudioContext, 1 Worker and 2 Battery Status); see Fig. 7. Prominent examples include the following. Discount Car Rental includes script from Sizmek Technolo- gies Inc., which uses a total of 67 APIs (48 WebGL, 12 Navigator, five Screen, and two Canvas APIs). Manual analysis also reveals Font fingerprinting via side- channel inference [30]; this script is also highly similar to FingerprintJS [44]. Discount Car Rental also contains script from Integral Ad Science, which uses 41 attributes, including: 31 Navigator, seven Screen APIs, two WebRTC, and one AudioContext (cf. [14]). The navigator APIs are used to collect attributes such as the USB gamepad controllers using Navigator.getGamepads(), and list MIDI input and output devices using navigator.requestMIDIAccess. H&M and On Privacy Risks of Public WiFi Captive Portals 13

117 1 1 2 Navigator WebGL Screen 3 2 9 Canvas WebRTC Battery Status

AudioContext Worker 64 63 62 50 1 4 5 3 52 3 3 4 2 7 7 3 5

# Fingerprinting APIs # Fingerprinting 6 3 40 39 7 6 34 33 6 29 29 29 28 7 3 27 26 26 2 24 24 24 23 49 49 6 2 2 5 48 46 7 1 8 7 6 5 6 5 1 35 34 6 33 27 2 6 23 27 2 22 23 20 19 18 19 18 19 16 16

Fig. 7. Unique number of fingerprinting APIs on landing pages (top 20) Home Depot host the same JavaScript that collects 42 attributes, including 34 Navigator, six Screen, and two Canvas APIs. Laura has a script from PerimeterX that collects 27 attributes, including 21 Navigator and 6 Screen APIs; manual analysis of the source code reveals WebGL and Canvas fingerprinting.

5 CPInspector on Android

In contrast to Windows, Android OS handles captive portals with a dedicated application. The Android Developers documentation and Android Source docu- mentation omit details of how Android handles captive portals. Here we briefly document the inner working of Android captive portals, and discuss our prelim- inary findings, specifically on tracking cookies on Android devices. Android captive portal login app. Using Android ps (Process Status), we observe that a new process named com.android.captiveportallogin appears whenever the captive portal is launched. The Manifest file for CaptivePortalLo- gin explicitly defines that its activity class will receive all captive portal broad- casts by any application installed on the OS and handle the captive portal. We observe that files in the data folder of this application are populated and altered during a captive portal session; we collect these files from our tests. Capturing network traffic. To capture traffic from Android apps, several readily-available VPN apps from Google Play can be used (e.g., Packet Cap- ture, NetCapture, NetKeeper). However, Android does not use VPN for captive portals. On the other hand, using an MITM Proxy server such as mitmproxy (https://mitmproxy.org/) requires the server to run on a desktop environ- ment, which would make the internet traffic come out of the desktop OS, i.e., the mobile device would not be visible to the hotspot. To overcome this, we set 14 S. Ali et al. up a virtual Linux environment within the Android OS by using Linux Deploy (https://github.com/meefik/linuxdeploy), enabling us to run Linux desk- top applications within Android with access to the core component of Android OS, e.g., Android OS processes, network interfaces, etc. We use Debian and mitmproxy on the virtual environment, and configure Android’s network set- tings to proxy all the traffic going through the WiFi adapter to the mitmproxy server. The proxy provides us the shared session keys established with a destina- tion server, enabling us to decrypt HTTPS traffic. We use tcpdump to capture the network traffic. Data collection and analysis. We visited 22 hotspots and collected network traffic from their captive portals. First, we clear the data and cache of the Cap- tivePortalLogin app and collect data from a given hotspot. Next, we change the MAC address of our test devices (Google Pixel 3 with Android 9 and Nexus 4 with Android 5.1.1) and collect data again without clearing the data and cache. From the proxy’s request packets, we confirm that the browser agent correctly reflects our test devices, and the traffic is being originated from the CaptivePor- talLogin app. Next, we analyze the data extracted from the app. The structure of the data directory is similar to Google Chrome on Android. We locate the .\app_webview\Cookies SQLite file in the data directory, storing the Captive- PortalLogin app’s cookies. We observe that 9 out of 22 hotspots store persistent cookies in the captive portal app; see Fig. 8. These cookies are not erased when the portal app is closed, or when the user leaves the hotspot. Instead, the cookies remain active as set in their validity periods, although they are unavailable to the regular browser apps. Prominent examples include: Tim Hortons inserts a 20-year valid cookie from network-auth.com, and Hvmans Cafe stores a 10-year valid cookie from Instagram. In the captive portal traffic, we confirm that these cookies are in- deed present and shared in subsequent visits, and follow the Same-Origin Policy. Hotspots can use these cookies to uniquely identify and authenticate user de- vices even when the device MAC address is dynamically changed; Tim Hortons hotspot uses its cookies for authentication. However, McDonald’s did not authen- ticate the device even though the cookies were present but the MAC was new.

10 Duration < 180 days Duration between 180 days and 5 years Duration > 5 years 9 3 1 7

4 3 4 4 4 7 1 1 1 3 3 3 Unique # Cookies Unique 1 1 4 4 2 2 3 3 2 2 1 1

Fig. 8. Number of cookies stored on the Android captive portal app On Privacy Risks of Public WiFi Captive Portals 15

6 Privacy Policy and Anti-Tracking

Privacy policy. We performed a preliminary manual analysis of privacy policy and TOS documents from hotspots that appear to be most risky. Roots states clearly in their privacy policy that they use SSL to protect PII, but their captive portal transmits a user’s full name and email address via HTTP. Place Mon- treal Trust transmits the user’s full name via HTTP, and they explicitly state that transmission of information over the public networks cannot be guaranteed to be 100% secure. Nautilus Plus has a very basic TOS that omits important information such as the laws they comply with and privacy implications of us- ing their hotspot. They state clearly that the assurance of confidentiality of the user’s information is of great concern to Nautilus Plus, but they use HTTP for all communications, leaking personal information while they attempt to verify the customer’s identity. Their privacy policy is also inaccessible from the captive portal and omits any reference to WiFi. Dynamite and Garage are two brands of Groupe Dynamite. They transmit the user’s email address via HTTP despite claiming to use SSL. Their privacy policy is inaccessible from the captive portal and omits any reference to the WiFi. GAP explicitly mentions their collection of browser/device information, and they indeed collect 46 such attributes, before the user accepts the hotspot’s policies. Although McDonald’s tracks users in their captive portal (9 known track- ers, 28 fingerprinting attributes), the captive portal itself lacks a privacy policy stating their use of web tracking. Carrefour Laval and Fairview Pointe-Claire perform cross device tracking by participating in the Adobe Marketing Cloud Co-op [2], where they may collect and share information about devices linked to the user. Two hotspots link the users MAC address to the collected personal information, including Roots, Bombay Mahal Thali. Sharing the harvested data with subsidiaries and third-party affiliates is also the norm. Eight hotspots (including Hvmans Cafe, Fairview Pointe-Claire, and Carrefour Laval) state that PII may be stored outside Canada. Ten hotspots omit any information about the PII storage location, including Dominos’s Pizza and Roots. However, five hotspots have their captive portal domain in the US, including Bombay Mahal Thali, Carrefour Angrignon, Domino’s Pizza, Grevin Montreal, and Roots. Three hotspots lack any privacy policy or a TOS document on their captive portals, including Laura, ECCO, and Maison Simmons. Chrome vs. Firefox. On captive portals, we found that the number of third- party tracking domains between Chrome and Firefox browsers differs by 5.3% (Chrome: 353, including 79 known trackers; Firefox: 373, including 81 known trackers). On landing pages, the difference is 7.7% (Chrome: 2021, including 1317 known trackers; Firefox: 1865, including 1201 known trackers). Note that, landing pages generally host more dynamic content compared to captive por- tal pages; also, the Discount Car Rental hotspot lands on msn.com on Chrome and lands on the user’s last visited page on Firefox. Moreover, due to various runtime errors, we could not test some hotspots in Firefox, including Carrefour Angrignon, Centre Rockland, Mail Champlain, and Centre Eaton. 16 S. Ali et al.

The same hotspot captive portal in different locations. 12 hotspots are measured at multiple physical locations. We stopped collecting datasets from dif- ferent locations of the same chain-business as the collected datasets were largely the same. We provide an example where some minor differences occur: Starbucks’ captive portal domain varies in the two evaluated locations (am.datavalet.io vs. sbux-j2.datavalet.io). However, the number of known trackers remained the same, while the number of third-parties increased by one domain. More- over, the --sf-device cookie validity increased from 17 days to 1 year, and the --sf-landing cookie was not created in the second location. Effectiveness of privacy extensions and private browsing. To evaluate the effectiveness anti-tracking solutions against hotspot trackers, we collected traffic from both Chrome and Firefox in private browsing modes, and by enabling Adblock Plus [15] and Privacy Badger [12] extensions—leading to a total of six datasets for each hotspot. Then, we use the EasyList, EasyPrivacy, and Fanboy’s lists to determine whether blacklisted requests or tracking cookies remain in the collected datasets; see Table 2. We only count the domain name of a tracker or advertiser when a request was sent, or a cookie was created. Table 2. The number of unique domains not blocked by our anti-tracking solutions. Ad Block Plus Privacy Badger Private Browsing Firefox 33 180 315 Chrome 117 212 356 Hotspot trackers in the wild. We measured the prevalence of trackers found in captive portals and landing pages, in popular websites—to understand the reach and consequences of hotspot trackers. We use OpenWPM [14] between Feb. 28–Mar. 15, 2019 to automatically browse the home pages of the top 143k Tranco domains [26] as of Feb. 27, 2019. We extracted the tracking persistent (validity ≥ 1 day; cf. [5]) cookie domains from captive portals or landing pages. Then, we counted those tracking domains in the OpenWPM database; see Table 8 in the appendix. For example, the doubleclick.net cookie as found in 4 captive portals and 30 landing pages, appears 160,508 times in the top 143k Tranco domains (mutiple times in some domains). Overall, hotspot users can be tracked across websites, even long time after the user has left a hotspot.

7 Conclusion

Many people across the world use public WiFi offered by an increasing number of businesses and public/government services. The use of VPNs, and the adoption of HTTPS in most websites and mobile apps largely secure users’ personal/financial data from a malicious hotspot provider and other users of the same hotspot. However, device/user tracking as enabled by hotspots due to their access to MAC address and PII, remains as a significant privacy threat, which has not been explored thus far. Our analysis shows clear evidence of privacy risks and calls for more thorough scrutiny of these public hotspots by e.g., privacy advocates and government regulators. We will release our framework for easy replication and measurement in other parts of the world. On Privacy Risks of Public WiFi Captive Portals 17

8 Acknowledgement

This work is supported by a grant from the Office of the Privacy Commissioner of Canada (OPC) Contributions Program.

References

1. Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., G¨urses,S., Piessens, F., Preneel, B.: FPDetective: Dusting the web for fingerprinters. In: ACM CCS’13. Berlin, Germany (Nov 2013) 2. Adobe.com: Adobe experiance cloud: Device Co-op privacy control, https:// cross-device-privacy.adobe.com 3. Binns, R., Zhao, J., Kleek, M.V., Shadbolt, N.: Measuring third-party tracker power across web and mobile. ACM Transaction on Internet Technology 18(4), 52:1–52:22 (Aug 2018) 4. Brookman, J., Rouge, P., Alva, A., Yeung, C.: Cross-device tracking: Measurement and disclosures. In: Proceedings on Privacy Enhancing Technologies (PETS). Min- neapolis, MN, USA (Jul 2017) 5. Bujlow, T., Carela-Espa˜nol,V., Sole-Pareta, J., Barlet-Ros, P.: A survey on web tracking: Mechanisms, implications, and defenses. Proceedings of the IEEE 105(8), 1476–1510 (2017) 6. Buysellads: https://www.buysellads.com 7. Cheng, N., Wang, X.O., Cheng, W., Mohapatra, P., Seneviratne, A.: Characterizing privacy leakage of public wifi networks for users on travel. In: 2013 Proceedings IEEE INFOCOM. Turin, Italy (Apr 2013) 8. Crunchbase: https://about.crunchbase.com 9. Datavalet.com: Datavalet managed WiFi solutions, https://datavalet.com 10. EasyList: https://easylist.to 11. Eckersley, P.: How unique is your web browser? In: International Symposium on Privacy Enhancing Technologies Symposium (2010) 12. EFF.org: Privacy badger, https://www.eff.org/privacybadger 13. Elifantiev, O.: NodeJS module to compare two DOM-trees, https://github.com/ Olegas/dom-compare 14. Englehardt, S., Narayanan, A.: Online tracking: A 1-million-site measurement and analysis. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria (Oct 2016) 15. Eyeo GmbH: Adblock Plus, https://adblockplus.org 16. G´omez-Boix,A., Laperdrix, P., Baudry, B.: Hiding in the crowd: an analysis of the effectiveness of browser fingerprinting at large scale. In: TheWebConf (WWW’18). Lyon, France (Apr 2018) 17. Google: HTTPS encryption on the web, https://transparencyreport.google. com/https/overview?hl=en 18. Google.com: Google AdSense, https://www.google.com/adsense/start 19. Google.com: Google Tag Manager, https://tagmanager.google.com 20. Harris, G.: Secure Socket Layer (SSL), wiki post (Dec 20, 2018). https://wiki. wireshark.org/SSL 21. Hoovers: http://www.hoovers.com 22. Klafter, R.: Don’t FingerPrint Me, https://github.com/freethenation/DFPM 18 S. Ali et al.

23. Klasnja, P., Consolvo, S., Jung, J., Greenstein, B.M., LeGrand, L., Powledge, P., Wetherall, D.: When I am on Wi-Fi, I am fearless: privacy concerns & practices in everyday Wi-Fi use. In: SIGCHI’09. Boston, MA, USA (Apr 2009) 24. Klein, A., Pinkas, B.: DNS cache-based user tracking. In: Network and Distributed System Security Symposium (NDSS’19). San Diego, CA, USA (Feb 2019) 25. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: Diverting mod- ern web browsers to build unique browser fingerprints. In: IEEE Symposium on Security and Privacy (SP). San Jose, CA, USA (2016) 26. Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczy´nski,M., Joosen, W.: Tranco: A research-oriented top sites ranking hardened against manipulation. In: NDSS’19. San Diego, CA, USA (Feb 2019) 27. Medium.com: My hotel WiFi injects ads. does yours?, news article (Mar. 25, 2016). https://medium.com/@nicklum/ my-hotel-WiFi-injects-ads-does-yours-6356710fa180 28. Microsoft.com: Basic profile fields, online documentation (Feb. 13, 2019). https://docs.microsoft.com/en-us/linkedin/shared/references/v2/ profile/basic-profile 29. Mowery, K., Shacham, H.: Pixel perfect: Fingerprinting canvas in HTML5. Pro- ceedings of W2SP pp. 1–12 (2012) 30. Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: Exploring the ecosystem of web-based device fingerprinting. In: 2013 IEEE Symposium on Security and Privacy. Berkeley, CA, USA (May 2013) 31. Olejnik,L., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Data Privacy Management, and Security Assurance, pp. 254–263. Springer (2015) 32. Optimizely: https://www.optimizely.com/ 33. Optimizely: Guidlines of cookies and localstorage in the Optimizely snippet, techni- cal article (Mar. 20, 2019). https://help.optimizely.com/Set_Up_Optimizely/ Cookies_and_localStorage_in_the_Optimizely_snippet 34. PANOPTICLICK: Panopticlick website, https://panopticlick.eff.org/ 35. PCWorld.com: Comcast’s open WiFi hotspots inject ads into your browser, news article (Sep. 09, 2014). https://www.pcworld.com/article/2604422/ comcasts-open-wi-fi-hotspots-inject-ads-into-your-browser.html 36. Pypi.org: Python WHOIS library, version: 0.7. https://pypi.org/project/whois 37. Reis, C., Gribble, S.D., Kohno, T., Weaver, N.C.: Detecting in-flight page changes with web tripwires. In: NSDI’08. San Francisco, CA, USA (2008) 38. Sanchez-Rola, I., Santos, I., Balzarotti, D.: Clock around the clock: Time-based device fingerprinting. In: ACM CCS’18. Toronto, Canada (Oct 2018) 39. Seleniumhq.org: Selenium automates browsers, https://www.seleniumhq.org 40. Sombatruang, N., Kadobayashi, Y., Sasse, M.A., Baddeley, M., Miyamoto, D.: The continued risks of unsecured public WiFi and why users keep using it: Evidence from Japan. In: Privacy, Security and Trust (PST’18). Belfast, UK (Aug 2018) 41. Symantec: Norton WiFi risk report: Summary of global results, tech re- port (May 5, 2017). https://www.symantec.com/content/dam/symantec/docs/ reports/2017-norton-wifi-risk-report-global-results-summary-en.pdf 42. Taboola: Content discovery and native advertising platform, Taboola.com 43. Tsirantonakis, G., Ilia, P., Ioannidis, S., Athanasopoulos, E., Polychronakis, M.: A large-scale analysis of content modification by open HTTP proxies. In: Network and Distributed System Security Symposium (NDSS’18) (2018) 44. Valve: Fingerprintjs by Valve, https://valve.github.io/fingerprintjs/ On Privacy Risks of Public WiFi Captive Portals 19

45. Webpolicy.org: AT&T hotspots: Now with advertising injection, news article (Aug. 25, 2015) http://webpolicy.org/2015/08/25/ att-hotspots-now-with-advertising-injection 46. Wireshark.org: Tshark - Dump and Analyze Network Traffic, online documentation (Mar. 2019). https://www.wireshark.org/docs/man-pages/tshark.html 47. Wireshark.org: Wireshark network analyzer, https://www.wireshark.org 20 S. Ali et al.

Appendix

Table 3. Sample of variations of the same third-party domain.

Third-Party Request-URL Blacklisted https://www.google-analytics.com/r/collect?v=& v=&a=&t=& s=1&dl=&ul=&de=&dt= Yes &sd=&sr=&vp=&je=& u=&jid=&gjid=&cid=&tid=& gid=& r=1>m=&cd1= &cd64= &cd65= &did= &z= https://www.google-analytics.com/j/collect?v=& v=&a=&t=& s=&dl=&ul=&de=&dt=&sd=24- No bit&sr=&vp=&je=& u= &jid= &gjid=&cid=&tid=& gid=& r=&cd1=&cd5=&cd6=&cd8=&cd9=&z=

Table 4. Count of tracking domains from captive portals and landing pages in Alexa 143k home pages (top 10).

Captive Portal Landing Page Tracker Count Tracker Count doubleclick.net 160508 pubmatic.com 326991 linkedin.com 48726 rubiconproject.com 257643 facebook.com 37107 doubleclick.net 160508 twitter.com 14874 casalemedia.com 131626 google.com 13676 adsrvr.org 116438 atdmt.com 5198 addthis.com 83221 instagram.com 3466 demdex.net 83160 gap.com 295 contextweb.com 82965 maxmind.com 294 rlcdn.com 75295 gapcanada.ca 64 livechatinc.com 69919

147 2 Duration < 180 days Duration between 180 days and 5 years Duration > 5 years

81

58 54 53 7 49 48

Unique # Cookies#Unique 40 23 33 32 32 31 64 30 28 28 26 34 17 24 23 22 22 1 21 21 20 18 25 19 14 30 21 17 17 16 10 15 10 21 21 20 23 18 14 14 15 13 14 12 11 7 9 9 7 7 7 3 6 4

Fig. 9. Number of third-party cookies on landing pages (top 20) On Privacy Risks of Public WiFi Captive Portals 21

33 33 Duration < 180 days Duration between 180 days and 5 years Duration > 5 years

4 27 27 1 24 24 23 7 22 12 21 21 6 19 9 1 18 12 9 17 17 17 9 5 1 9 1 14 14 8 13 11 5 8 8 4 11 11 11 Unique # Cookies Unique 9 6 4 1 17 15 5 6 14 14 13 15 12 11 12 10 9 9 10 9 10 8 7 8 6 5

Fig. 10. Number of first-party cookies on landing pages (top 20) Table 5. List of evaluated hotspots

Category Count Hotspot Name Cafe and Restaurant 19 A&W, Bombay Mahal Thali, Burger King, Cafe Osmo, Copper Branch, Domino’s Pizza, Harvey’s, Hvmans Cafe, Juliette Et Chocolat, Mcdonalds, Moose BAWR, Nespresso, Pizza Hut, Pizza Pizza, Starbucks, Sushi STE-Catherine, The Second Cup, Tim Hortons, Vua Sandwiches Retail business 17 Canadian Tire, Dynamite, ECCO, Fossil, GAP, Garage, H&M, Home Depot, IGA, Ikea, Laura, Maison Simmons, Michael Kors, Roots, SAQ, Sephora, Walmart Shopping Mall 12 Atrium 1000, Carrefour Angrignon, Carrefour Laval, Carrefour iA, Centre Eaton, Centre Rockland, Complexe Desjardins, Fairview Pointe-Claire, Mail Champlain, Place Montreal Trust, Place Vertu, Bank 5 CIBC Bank, Desjardins 360, RBC Bank, ScotiaBank, TD Bank Art and Entertainment 4 Grevin Montreal, YMCA, Montreal Science Centre, Place Des Arts Transportation 3 Gare d’Autocars de Montreal, Via Rail Station, YUL Airport Telecom Kiosk 2 Fido, Telus Car Rental 1 Discount Car Rental Gymnasium 1 Nautilus Plus Hospital 1 CHU Sainte-Justine Hotel 1 Fairmont Hotel Library 1 Westmount Public Library